INDEPENDENT EVALUATION OF
SBA’S INFORMATION SECURITY PROGRAM

REPORT NUMBER 5-02
OCTOBER 7, 2004

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

ADVISORY MEMORANDUM REPORT
Issue Date: October 7, 2004
Number: 5-02

To:       Hector V. Barreto, Administrator
          Stephen D. Galvan, Chief Operating Officer / Chief Information Officer

From:     Robert G. Seabrooks, Assistant Inspector General for Audit   /s/

Subject:  Independent Evaluation of SBA’s Information Security Program

The Federal Information Security Management Act (FISMA) requires the Office of Inspector General (OIG) to perform an independent evaluation of the Small Business Administration's (SBA) information security program. This report presents the results of that evaluation in accordance with specific FISMA reporting instructions issued by the Office of Management and Budget (OMB).

OBJECTIVES, SCOPE AND METHODOLOGY

The objective of our review was to evaluate SBA’s information security program in accordance with FISMA reporting requirements specified in OMB Memorandum M-04-25. We performed an independent evaluation of SBA’s information security program to reach conclusions about the FISMA reporting areas. In making our evaluation, we considered prior audits related to SBA’s information systems computer security program issued by our office.

Our assessment covered the 37 high-priority systems identified by SBA and its characterization of the susceptibility of those systems to unauthorized access as of September 15, 2004. OMB Memorandum M-04-25 directed us to report significant deficiencies in SBA’s overall information systems security program or management structure. A significant deficiency under FISMA is a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. A significant deficiency is to be reported by the Agency as a material weakness under the Federal Managers Financial Integrity Act (FMFIA) report.

We interviewed SBA officials and reviewed documentation on SBA’s information security program. Our evaluation was performed at SBA’s headquarters office in Washington, D.C. from April 2004 through October 2004.

OVERALL EVALUATION

Generally for FY 2004, SBA’s computer security program has shown mixed results. SBA achieved a major milestone in certifying and accrediting all of its major systems within the past fiscal year. However, SBA has not been able to sufficiently address the 248 open system risk assessment vulnerabilities and open OIG audit findings, including 118 open risk assessment vulnerabilities and 14 OIG audit findings which have exceeded their estimated target date for correcting the issues identified.

The OIG identified five (5) significant deficiencies in SBA’s computer security program. Moreover, these deficiencies were previously identified in 11 OIG recommendations which, if adopted in full, would address the related security risks and exposures.

Finding 1: Computer Security Capital Planning is not FISMA Compliant

SBA does not have a capital planning process that is compliant with FISMA requirements, from either a budgeting or an actual expenditure tracking capability. This occurred because SBA’s capital planning process does not tie to or reconcile with the SBA Plan of Actions & Milestones (POA&M), the SBA Exhibit 53, and the SBA Capital Asset Plans. Additionally, there is no expenditure tracking of security related costs in SBA’s accounting system. As a result, SBA cannot be assured that the funds identified in the POA&M and requested in the Capital Asset Plans and Exhibit 53 for remediating security vulnerabilities are actually appropriated and spent on correcting security vulnerabilities in SBA systems.

According to OMB Memorandum 04-25, the POA&M identifies the resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. The Agency POA&M must be tied to the agency’s budget submission through the unique project identifier of a system. This links the security costs for a system with the security performance of that system.

We reviewed the SBA POA&M as of 9/15/04 against the separate SBA Capital Asset Plans and Exhibit 53. We could not reconcile or tie the individual system POA&Ms to the SBA Capital Asset Plans and SBA Exhibit 53 for specific relevant systems. Additionally, we could not reconcile or tie the “steady-state” SBA system POA&Ms with the “meta” SBA Capital Asset Plan and Exhibit 53 for all SBA systems that are not in a development status. Finally, there were no specific project cost capabilities set up within SBA’s accounting system to track specific security expenditures relating to SBA systems, so that their security control costs would be integrated into the life-cycle of SBA systems.

The SBA Joint Accounting and Administrative Management System (JAAMS) is reported here as an example:

              POA&M Amount      Exhibit 53        Capital Asset      Amount spent as
              Spent or Planned  (5% of cost       Plan – 300B        recorded in SBA’s
              for Security      allocation)       (5% of cost        accounting system
                                                  allocation)
    FY2004    $0                $64,150           $64,150            $0
    FY2005    $56,000           $41,300           $41,250

Recommendations: We recommend that the Chief Operating Officer, in conjunction with the Office of the Chief Financial Officer:

1.A.  Ensure that system and program level SBA Plans of Action & Milestones (POA&M) tie or reconcile the resources needed to correct system vulnerabilities to the SBA Capital Asset Plans (300B) and Exhibit 53.

1.B.  Create costing or charge-back capabilities within SBA’s accounting system to track security related expenditures for SBA’s system and program level Plans of Actions and Milestones (POA&M).

***

The OIG FISMA report is attached in the prescribed format, using a template file which was provided by OMB.

The findings included in this report are the conclusions of the Auditing Division. The findings and recommendations are subject to review and implementation of corrective action by your office following the existing Agency procedures for audit follow-up and resolution.

Please provide us your management decision for each recommendation within 30 days. Your management decisions should be recorded on the attached SBA Forms 1824, “Recommendation Action Sheet,” and show either your proposed corrective action or target date for completion, or an explanation of your disagreement with our recommendations.

Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director, IT and Financial Management Group, at (202) 205-7490.

Attachment

Withheld from public release: 17 pages of technical information.

Rationale: FOIA Exemption 2

ATTACHMENT A

REPORT DISTRIBUTION

Recipient                                              No. of Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown ............................. 1
General Counsel ...................................... 3
Deputy Chief Information Officer ..................... 1
Chief Financial Officer .............................. 1
U.S. Government Accountability Office ................ 1